Privacy Policy
This policy explains what data we collect, why we collect it, who we share it with, and what control you have over it.
1. Plain-language summary
Here is the gist, in two sentences. We collect the information you submit through our intake form, the email address you use to authenticate, and the payment information Stripe shares back with us, and we use that to build, deliver, and host your website. We do not sell your information, we use a small list of well-known providers (Anthropic, Stripe, Resend, Supabase, Cloudflare, Netlify) to operate the service, and you have the right to access, correct, export, or delete your information at any time by emailing support@schematic.work.
The rest of this page explains all of that in more detail and in the language regulators expect.
2. Scope & who we are
This Privacy Policy describes how Schematic ("Schematic", "we", "us", "our") handles personal information when you use our website at https://schematic.work, our intake form, and any related services (collectively, the "Services"). Schematic is operated by Brianna Brunner, an individual proprietor based in the United States, doing business as Schematic.
For purposes of the EU/UK GDPR, Schematic is the "controller" of personal information collected through the Services about you, the customer. For information that visitors submit to your customer-facing website (for example, through a contact form on a site we built and host for you), you are the controller and we act as your "processor". We process that information on your behalf under these terms and your instructions.
3. Information we collect
We collect the following categories of personal information:
3.1 Information you provide directly
- Account information. Your email address, used to authenticate via email magic link.
- Order brief information. The contents of the form: business name, tagline, industry, audience description, sitemap, page-purpose notes, copy you upload or paste, brand colors, fonts, style references (URLs of sites you like), uploaded logo and media files, integration credentials you choose to share (e.g. a Google Analytics measurement ID, a Calendly URL, a Stripe Payment Link, a Mailchimp form action URL), the email address where contact-form submissions should be forwarded, your existing domain name (if any), and any free-text notes you add.
- Payment information. When you pay, you submit billing information directly to Stripe. We receive a confirmation from Stripe that includes the charge amount, currency, payment status, the last four digits of the card, the card brand, the country of issuance, and the order ID we passed to Stripe. We do not see or store your full card number, CVV, or full billing address.
- Communications. If you email us, we keep a record of the email and any attachments so we can respond to you and for our records.
3.2 Information collected automatically
- Server logs. When you load the Site or call our endpoints, our hosting and serverless function providers (Netlify, Cloudflare) automatically collect basic technical information including your IP address, user agent, the URL requested, the response code, the timestamp, and a unique request ID. We use this for security, abuse prevention, debugging, and rate-limiting.
- Analytics. We use Cloudflare Web Analytics, a privacy-respecting analytics service that does not use cookies or fingerprinting and does not collect personally identifiable information. It tells us aggregate page views and rough geographic distribution, nothing more.
- Bot-protection signals. Cloudflare Turnstile may evaluate browser characteristics to determine whether a request is from a human. Turnstile is designed to be privacy-preserving and does not, by design, collect or share data that personally identifies you.
3.3 Information from third parties
We receive information from third parties who help us operate the Services:
- Stripe sends us payment confirmations and dispute notifications.
- Resend sends us delivery, bounce, and complaint events for the emails we send on your behalf.
- Cloudflare may report DDoS or abuse events tied to your IP.
4. Where we collect it from
Almost all of the information we collect comes from you. We collect it (a) when you visit the Site; (b) when you submit the intake form; (c) when you sign in via email; (d) when you pay via Stripe (which collects on our behalf); (e) when you contact us; and (f) when our infrastructure providers automatically log the technical metadata of your requests, as described above.
5. How we use information
We use personal information for the following purposes:
- To deliver the Services. Generate, review, and deliver your Build using your Brief; host your Build (if you have Schematic Hosted); register and route DNS for your domain (if you have Domain Registration); forward submissions from your contact form; send transactional email about your order.
- To process payments. Send payment instructions to Stripe and reconcile against received confirmations.
- To communicate with you. Send order confirmations, preview links, "your site is live" notices, regeneration confirmations, billing receipts, security notices, and operational updates. From time to time we may also send you a low-volume product update if you've placed a paid Order.
- To prevent abuse. Apply rate limits, run bot checks via Cloudflare Turnstile, and enforce the one-free-Order-per-customer limit.
- To improve the platform. Aggregate non-identifying usage information to understand which features are used, where errors occur, and how to improve quality.
- To comply with the law. Retain records required by tax, accounting, anti-fraud, or other legal obligations; respond to lawful requests; protect our rights and the rights of others.
We do not use personal information to train any AI model. The information you submit is sent to Anthropic for the limited purpose of generating your Build, under terms with Anthropic that prohibit training on our customers' data. See Section 8.
6. Legal basis for processing (GDPR)
If the GDPR or UK GDPR applies to you, we rely on the following legal bases:
- Performance of a contract, to deliver the Services you ordered.
- Legitimate interests, to operate, secure, and improve the Services, and to communicate with you about active orders, where those interests are not overridden by your rights.
- Legal obligation, to retain payment and tax records, and to respond to lawful requests.
- Consent, for any processing that requires it (for example, if we ever introduce optional analytics or marketing communications). You can withdraw consent at any time without affecting prior processing.
7. When we share information
We do not sell your personal information, and we do not share it with advertisers. We share information only as described below:
- With sub-processors who run parts of our infrastructure on our behalf, listed in Section 8. They are contractually required to use the information only to provide their service to us.
- With your authorization. For example, when you select an integration like Calendly or Mailchimp, we embed code that allows that vendor to receive interaction data directly from your visitors. We disclose this in the form before you select.
- For legal reasons. If we are required to do so by law, by valid legal process, or to protect the rights, property, or safety of Schematic, our customers, or others.
- In connection with a business transaction. If Schematic is involved in a merger, acquisition, financing, sale of assets, or insolvency, personal information may be transferred as part of the transaction. We will notify affected customers in advance where practical.
8. Sub-processors we rely on
The following providers process personal information on our behalf:
| Provider | Purpose | Location |
|---|---|---|
| Anthropic, PBC | AI generation of your Build from your Brief; we do not authorize use of your data for model training. | United States |
| Stripe, Inc. | Payment processing, fraud prevention, billing for recurring subscriptions. | United States |
| Resend Inc. | Transactional and contact-form email delivery. | United States |
| Supabase, Inc. | Authentication and order database. | United States |
| Cloudflare, Inc. | DNS, CDN, bot protection (Turnstile), analytics (Web Analytics), email routing, hosting (Pages), domain registrar. | Global edge; corporate United States |
| Netlify, Inc. | Web hosting and serverless functions for the Schematic Site itself. | United States |
We may add or replace sub-processors as our infrastructure evolves. Material changes to this list will be reflected here, and customers with active Schematic Hosted subscriptions will be notified by email.
9. Cookies & similar technologies
The Schematic Site uses a small number of cookies and equivalent storage technologies:
- Authentication cookies set by Supabase Auth so you stay signed in across pages of the form.
- Local storage in your browser to preserve your in-progress form input, so you don't lose work if you accidentally close the tab.
- Bot-protection storage set transiently by Cloudflare Turnstile during a verification challenge.
We do not use third-party advertising cookies, retargeting pixels, or analytics that fingerprint individual users on the Schematic Site itself. Sites we build for you may include such technology if you select integrations like Meta Pixel or Google Analytics; that is your choice as the operator of your site, and your visitors are subject to those vendors' policies.
10. Data retention
We retain personal information for the following default periods, and may retain it longer where required by law:
- Order records (your Brief, payment records, generated Build): seven (7) years from the order date, to support tax, accounting, dispute resolution, and customer support.
- Authentication records for inactive accounts (no Order placed in twenty-four (24) months and no active subscription): deleted within thirty (30) days after the inactivity threshold is reached.
- Email correspondence: three (3) years from the date of the last message in the thread.
- Server logs retained by Netlify, Cloudflare, or Supabase: per their respective retention defaults, typically thirty (30) to ninety (90) days.
- Hosted Site content: retained for as long as your Hosted subscription is active. After cancellation we keep an archive for thirty (30) days to support undo requests, then permanently delete it.
- Customer-site contact-form submissions forwarded by us: not stored after delivery, except in transient delivery logs (typically less than thirty (30) days).
You can request deletion sooner; see Section 12.
11. Security
We use commercially reasonable technical and organizational safeguards to protect personal information, including TLS for data in transit, encryption at rest by our database and hosting providers, role-scoped database access, multi-factor authentication on operator accounts, automatic patching of dependencies, and bot-protection on submission endpoints.
No method of transmission or storage is one hundred percent secure. We cannot guarantee absolute security. If we discover a breach affecting your personal information, we will notify you and applicable authorities as required by law.
12. Your rights
Wherever you are located, you have the right to:
- Access the personal information we hold about you.
- Correct information that is inaccurate or out of date.
- Delete your personal information, subject to retention requirements imposed by law (for example, we may need to retain payment records for tax purposes).
- Export the personal information you provided to us in a portable, machine-readable format.
- Object to or restrict certain processing.
- Withdraw consent for any processing based on consent.
- Lodge a complaint with your local data-protection authority. We hope you'll contact us first so we can resolve any concerns.
To exercise any of these rights, email support@schematic.work from the email address associated with your account, or include enough information for us to locate your records. We will respond within thirty (30) days, or sooner where required by law. Exercising your rights is free, but we may charge a reasonable fee for manifestly unfounded or repetitive requests, or refuse them.
13. California addendum (CCPA / CPRA)
If you are a California resident, you have the rights described in Section 12, plus the following CCPA/CPRA-specific rights:
- The right to know the specific pieces of personal information we have collected about you, the sources we collected them from, the purposes we used them for, and the categories of third parties we disclosed them to.
- The right to delete personal information, subject to legal exceptions.
- The right to correct inaccurate personal information.
- The right to limit the use and disclosure of sensitive personal information. We do not collect categories of sensitive personal information beyond your account email address and information you voluntarily include in your Brief.
- The right to opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising. Schematic does not sell personal information and does not engage in cross-context behavioral advertising.
- The right to non-discrimination for exercising any of these rights.
To exercise California rights, email support@schematic.work. We will verify the request using the email address associated with your account.
14. UK / EEA / Swiss addendum
If you are in the United Kingdom, the European Economic Area, or Switzerland, the data-protection rights described in Section 12 apply to you under the UK GDPR, the EU GDPR, or the Swiss Federal Act on Data Protection (FADP) respectively. The lawful bases on which we rely are described in Section 6.
You have the right to lodge a complaint with the supervisory authority in your country of residence. The Information Commissioner's Office (ICO) is the UK's authority; the European Data Protection Board lists each EU national authority; the Federal Data Protection and Information Commissioner (FDPIC) is the Swiss authority.
Schematic does not currently have an EU representative because the volume and frequency of EU-resident processing fall below the threshold under Article 27(2)(a) GDPR. If our processing changes such that an EU representative is required, we will appoint one and update this section.
15. International transfers
Schematic operates from the United States, and most of our sub-processors are headquartered in the United States. If you access the Services from outside the United States, your information will be transferred to and processed in the United States and other countries that may have data-protection laws different from those of your country.
Where transfers from the EEA, UK, or Switzerland to the United States or other third countries occur, we rely on appropriate transfer mechanisms, including the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, in addition to contractual safeguards with our sub-processors. Where one of our sub-processors is certified under the EU-US Data Privacy Framework or its UK or Swiss extensions, we rely on that certification as well.
16. Children's privacy
The Services are not directed to children under the age of sixteen (16), and we do not knowingly collect personal information from children. If you are a parent or guardian and you believe your child has provided personal information to us, contact us at support@schematic.work and we will delete it promptly.
17. Sites we build for you
This Privacy Policy applies to your use of the Schematic Service. It does not apply to the websites we build and host for you. When we deliver your Build, you become responsible for your visitors' privacy in the same way any website operator is responsible to its visitors. Your auto-included Privacy and Terms pages are templated and customized to your business; you should review them with your own counsel to ensure they accurately describe your specific operations.
To help you do that:
- The auto-generated contact-form forwarder uses Cloudflare Turnstile and Resend, as described above. We disclose this in the templated Privacy page on your site.
- If you select an integration that drops third-party tracking on your visitors (Meta Pixel, Google Analytics, etc.), the templated Privacy page will list it. You are responsible for adjusting the templated language to reflect any other tracking you add later.
- The templated Privacy page is a starting point, not a substitute for legal advice tailored to your specific business.
18. Do Not Track & Global Privacy Control
The Schematic Site does not respond to "Do Not Track" (DNT) browser signals because there is no industry-wide consensus on how to honor them. We do recognize the Global Privacy Control (GPC) signal and treat it as a CCPA opt-out preference for our California visitors, but because we do not "sell" or "share" personal information for cross-context behavioral advertising, the practical effect of GPC on our processing is limited.
19. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent revision. If we make a material change (for example, adding a new sub-processor, expanding the categories of information we collect, or changing how long we retain it), we will email customers with active Orders or subscriptions in advance, and we will post a banner on the Site for at least thirty (30) days following the change.
20. How to contact us
For questions about this policy, to exercise any of the rights described above, or to report a concern, contact:
Schematic, Privacy
Email: support@schematic.work
Subject line preference: Privacy: [your topic]
Web: https://schematic.work
We do not currently have a designated Data Protection Officer, but the operator of Schematic personally reviews every privacy request received at this address.
This policy describes Schematic's practices as a small operator providing the Services described in our Terms of Service. As Schematic's operations evolve, this policy will be updated to reflect a different legal structure, an expanded provider list, or new product capabilities. The latest version always lives at https://schematic.work/privacy.html.